How does Windows protect transition into kernel mode?


Question

How does Windows protect against a user-mode thread from arbitrarily transitioning the CPU to kernel-mode?

I understand these to be true:

  1. When making a system call through NTDLL, the user-mode thread really does transition to kernel mode.
  2. The transition to kernel mode is done with processor-specific instructions.

So what is special about these system calls through NTDLL? Why can't the user-mode thread fake-it and execute the processor-specific instructions to transition to kernel-mode? I know I'm missing some key piece of Windows architecture here...what is it?

Answer

You're probably thinking that a thread running in user mode is calling into Ring 0, but that's not what's actually happening. The user mode thread is causing an exception that's caught by the Ring 0 code. The user mode thread is halted and the CPU switches to a kernel/ring 0 thread, which can then inspect the context (e.g., call stack and registers) of the user mode thread to figure out what to do. Before syscall, it really was an exception rather than a special exception specifically to invoke ring 0 code.

If you take the advice of the other responses and read the Intel manuals, you'll see syscall/sysenter don't take any parameters - the OS decides what happens. You can't call arbitrary code. WinNT uses function numbers that map to which kernel mode function the user mode code will execute (for example, NtOpenFile is fnc 75h on my Windows XP machine (the numbers change all the time); it's one of the jobs of NTDll to map a function call to a fnc number, put it in EAX, point EDX to the incoming parameters, then invoke sysenter).
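The dispatch the answer describes, as an added C model that is not part of the original thread and is not Windows or NTDLL code: user mode hands the kernel side only a service number (EAX) and a pointer to an argument block (EDX); the kernel-side dispatcher looks the number up in a fixed table, probes the argument block against the user address range, copies the arguments in, and only then runs the table entry. The service table holds just entry 75h (the NtOpenFile number quoted in the answer), the "user address space" is a constructed 4 KiB buffer in which a user pointer is an offset, the handler body and argument layout are stand-ins, and the NTSTATUS values are the standard Windows codes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION       ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INVALID_SYSTEM_SERVICE ((NTSTATUS)0xC000001C)

/* Constructed "user address space": a user pointer is a byte offset into it. */
#define USER_SPACE_SIZE 4096u
static uint32_t user_space[USER_SPACE_SIZE / sizeof(uint32_t)];

typedef NTSTATUS (*service_fn)(const uint32_t *args);
struct service_entry { service_fn fn; uint32_t argc; };

/* Stand-in for the kernel-side service behind number 75h. The argument layout
 * (handle slot, desired access, object attributes) is constructed for this model. */
static NTSTATUS ki_nt_open_file(const uint32_t *args)
{
    if (args[1] == 0)                 /* no access requested: reject */
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* The service table is fixed by the kernel; only 75h is populated here. */
#define SERVICE_LIMIT 0x76u
#define MAX_ARGS 8u
static const struct service_entry service_table[SERVICE_LIMIT] = {
    [0x75] = { ki_nt_open_file, 3 },
};

/* Kernel-side entry reached after "sysenter": EAX and EDX are all it sees. */
static NTSTATUS ki_system_service(uint32_t eax, uint32_t edx)
{
    uint32_t args[MAX_ARGS];

    /* Unknown or unpopulated number: nothing runs. */
    if (eax >= SERVICE_LIMIT || service_table[eax].fn == NULL)
        return STATUS_INVALID_SYSTEM_SERVICE;

    uint32_t argc = service_table[eax].argc;
    if (argc > MAX_ARGS)
        return STATUS_INVALID_SYSTEM_SERVICE;

    /* Probe: the whole argument block must lie inside the user range. */
    if (edx % 4 != 0 || (uint64_t)edx + (uint64_t)argc * 4 > USER_SPACE_SIZE)
        return STATUS_ACCESS_VIOLATION;

    /* Copy in before use, so user mode cannot alter arguments after validation. */
    memcpy(args, &user_space[edx / 4], argc * sizeof(uint32_t));
    return service_table[eax].fn(args);
}

/* Models the sysenter trap: control arrives at the fixed kernel entry point. */
static NTSTATUS sysenter_sim(uint32_t eax, uint32_t edx)
{
    return ki_system_service(eax, edx);
}

/* Models the NTDLL stub: number in EAX, EDX at the parameters, then sysenter. */
static NTSTATUS ntdll_NtOpenFile(uint32_t user_args)
{
    return sysenter_sim(0x75, user_args);
}

/* Ordinary call through the stub with a valid argument block at offset 0. */
NTSTATUS demo_legit(void)
{
    user_space[0] = 0;            /* handle slot */
    user_space[1] = 0x80000000u;  /* constructed: "read" access */
    user_space[2] = 0x40;         /* constructed: object attributes */
    return ntdll_NtOpenFile(0);
}

/* Same stub, but the argument block fails the handler's own check. */
NTSTATUS demo_bad_parameter(void)
{
    user_space[0] = 0; user_space[1] = 0; user_space[2] = 0x40;
    return ntdll_NtOpenFile(0);
}

/* Bypassing NTDLL and "executing sysenter" with a made-up number or an
 * in-range but empty slot: the dispatcher refuses both. */
NTSTATUS demo_forged_number(void)      { return sysenter_sim(0x2000, 0); }
NTSTATUS demo_unpopulated_number(void) { return sysenter_sim(0x10, 0); }

/* Valid number, but the argument pointer runs past the user range. */
NTSTATUS demo_forged_pointer(void)     { return sysenter_sim(0x75, USER_SPACE_SIZE - 4); }

int main(void)
{
    printf("legit:        0x%08X\n", (unsigned)demo_legit());
    printf("bad param:    0x%08X\n", (unsigned)demo_bad_parameter());
    printf("forged num:   0x%08X\n", (unsigned)demo_forged_number());
    printf("empty slot:   0x%08X\n", (unsigned)demo_unpopulated_number());
    printf("forged ptr:   0x%08X\n", (unsigned)demo_forged_pointer());
    return 0;
}
```

The point the model makes is the one in the answer: executing the transition instruction is not the privileged act, because the instruction carries no target. Whatever user mode puts in EAX and EDX, control lands at the one kernel entry point, and that entry point decides, from its own table and its own probing of the argument block, what (if anything) runs.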
